Google’s been catching a lot of privacy flak recently. Just this week, various news organizations picked up the story that Google had filed a brief back in June arguing that sending emails to someone else waives any reasonable expectation of privacy as to the content of those emails. I think the furor that has erupted is somewhat overblown, but that’s not what I want to focus on right now.
Rather, I want to focus on a different Google privacy argument from June. My post last week mentioned Google’s argument to the Ninth Circuit that the Wiretap Act does not protect unencrypted wi-fi signals. This argument has a lot of practical significance. Although the number is dwindling, many people still have unencrypted home wireless networks. Wi-fi hotspots, such as those found in coffee shops and airports, are often unencrypted. And many devices emit all sorts of unencrypted information on a regular basis, which an unscrupulous individual or company could use to track people. If Google is correct, all of that tracking and snooping would be be legally in the clear, at least as far as the Wiretap Act is concerned. The oral argument was two months ago, so a decision could come down at any time.
I began this post as a quick explanation of why I think Google’s argument is mistaken. I’d read the relevant statutory language probably a dozen times or more, and I thought Google’s interpretation was simply wrong. But the Wiretap Act is so convoluted that it is dangerous to draw conclusions without thoroughly mapping out a path through all the definitions and exceptions and exceptions to definitions. After having done that for this post, I don’t think Google’s argument is quite so wrong-headed anymore. But (insert dramatic twist musical cue here) I now believe it should ultimately fail anyway, for a reason I haven’t seen anyone mention–either because it’s eluded everyone else, or because it is so obviously wrong no one has bothered. Caveat emptor.
Much like the Wiretap Act itself, this post is going to be long and detailed, so I’ve broken it up into four (!) parts. In this part, I’ll explain the Ninth Circuit litigation and the basic arguments of the parties. In Part II, I’ll explain why I think Google’s arguments are stronger than an initial read might suggest. In Part III, I’ll make a foray into the legislative history to try to figure out how the Wiretap Act got the way it is. Finally in Part IV, I’ll explore whether Google should still lose based on a close look at how wi-fi actually works.
First, some background. Google has for years assembled a vast amount of information about the appearance and navigation of city streets for its Google Maps service by sending vehicles to actually drive the streets and record what they saw there. Among other things, the Google vehicles take snapshots as they drive along the road, which are accessible through the Google Maps “Street View” function. But in order for Street View to work, Google has to have some way of correlating the snapshots with the exact location of the picture. For some reason, engineers at Google decided that a great way to do this would be to have its vehicles acquire and decipher packets from unencrypted home wireless routers along their route. To this day, it’s still unknown exactly why Google did this, and what it did with the information it collected, about 600 gigabytes’ worth. (Here is a New York Times graphic explaining what happened; more background.) There was an FCC investigation that ended inconclusively, and in addition a class action lawsuit in the Northern District of California. The Ninth Circuit appeal, Joffe v. Google, is from the district court’s denial of Google’s motion to dismiss, which the court certified for appeal.
Here is Google’s argument for why this does not violate the Wiretap Act (warning: like a lot of Wiretap Act arguments, it travels around between several different definitions and exceptions):
Google’s alleged acquisition of information sent over Plaintiffs’ unencrypted Wi-Fi networks did not violate the Wiretap Act. The statute makes it lawful to intercept “electronic communications” that are “readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)(i). And when those electronic communications are also “radio communications,” the statute defines what “readily accessible to the general public” means: such a communication is expressly designated as “readily accessible to the general public” unless it falls within one of five specific exceptions. 18 U.S.C. § 2510(16). Plaintiffs have not alleged (and cannot plausibly allege) that any of those exceptions applies here.
Let’s sort this out. We’ll start with the basic structure of the Wiretap Act. Section 2511(1) contains the heart of the statute, providing that any person who “intentionally intercepts . . . any wire, oral, or electronic communication” commits a violation of the Wiretap Act. Most of the remainder of the Act carves out exceptions from this broad general prohibition on interception. But let’s note first that absent an exception, Google’s interception of wireless router packets in clearly within the scope of the Act. It was “intentional” — Google wasn’t accidentally picking up home router packets, as its most recent mea culpa makes clear; it was “interception,” defined as the acquisition of the contents of a communication by means of a device; and the communications in question were “electronic communications,” defined as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce,” other than voice communications by wire (a/k/a, “wire communications”) or in person (“oral communications”). In the case of wi-fi, we are dealing with data being transmitted by radio, i.e., electronic communications.
So the question is whether Google’s interceptions are within any exception. One exception immediately jumps out: under Section 2511(2)(g)(i), certain electronic communications are excluded from coverage under the Wiretap Act, namely, “an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” Since wireless network transmissions are “electronic communications,” the question is whether an unsecured wi-fi router is configured to make those communications “readily accessible to the general public.” That could get into a discussion of whether users reasonably expect such communications to remain private, but look, Google says, we don’t have to get into all that. There’s a statutory definition of “readily accessible to the general public,” and statutes can define terms however they want, even if that does not line up with common usage. In this case, the statute defines “readily accessible to the general public” as meaning a communication that is not:
(A) scrambled or encrypted;
(B) transmitted using modulation techniques whose essential parameters have been withheld from the public with the intention of preserving the privacy of such communication;
(C) carried on a subcarrier or other signal subsidiary to a radio transmission;
(D) transmitted over a communication system provided by a common carrier, unless the communication is a tone only paging system communication; or
(E) transmitted on frequencies allocated under part 25, subpart D, E, or F of part 74, or part 94 of the Rules of the Federal Communications Commission, unless, in the case of a communication transmitted on a frequency allocated under part 74 that is not exclusively allocated to broadcast auxiliary services, the communication is a two-way voice communication by radio . . . .
18 U.S.C. § 2510(16). We’ll come back to this series of exceptions, but Google argues that none of them apply. Certainly the transmissions at issue are not encrypted; that’s what the entire debate is over. If Google is correct that none of the other exceptions apply, then it looks as though unencrypted wi-fi transmissions are “readily accessible to the general public,” meaning they are unprotected against eavesdropping.
Ah, but I’ve left something out. As Judge Bybee suggested at oral argument, Google would win if the statute was just six words shorter. The definition of “readily accessible to the general public” begins: “‘[R]eadily accessible to the general public’ means, with respect to a radio communication, that such communication is not — (A) scrambled or encrypted . . . .” The definition of “readily accessible to the general public” is thus limited to “radio communications.” So what’s a “radio communication”? It’s unclear. There are definitions for “electronic communication,” “wire communication,” and “oral communication,” but there’s nothing for “radio communication.” Does it mean any communication by radio, whether it is data or sounds? Or does it only mean some subset of radio transmissions, e.g., voices and other sounds broadcast by radio?
The district court in Joffe, and the plaintiffs on appeal, argue the latter. The district court looked at the legislative history behind the Electronic Communications Privacy Act of 1986, which added the “radio communications” language, and concluded that “radio communications” was intended only to refer to “‘traditional radio services,’ or radio broadcast technology.” The court did not define exactly what it meant by these terms, but from the context it appears that the district court interpreted “radio communications” to mean transmissions of sounds, such as voices, by radio broadcast, and not data.
The term “radio communication” is used in only three places in the Wiretap Act. One of those is immediately after the exception in Section 2511(2)(g)(i) (“G1” for short) for electronic communications “readily accessible to the general public,” whatever that means. In the very next subsection, the Act provides that it is not a violation to intercept four specific sorts of “radio communications”; to wit, “any radio communication which is transmitted –”
(I) by any station for the use of the general public, or that relates to ships, aircraft, vehicles, or persons in distress;
(II) by any governmental, law enforcement, civil defense, private land mobile, or public safety communications system, including police and fire, readily accessible to the general public;
(III) by a station operating on an authorized frequency within the bands allocated to the amateur, citizens band, or general mobile radio services; or
(IV) by any marine or aeronautical communications system;
18 U.S.C. § 2511(2)(g)(ii) (“G2”). The common thread here is that all of these communications are made over systems whose primary purpose is public use. And, for the most part, they do appear to be systems for transmitting voice or sounds. The district court concluded further that the exceptions to ready accessibility in Section 2510(16) — encryption/scrambling, proprietary modulation, subcarriers, common carriers, and Part 25, 74, or 94 communications (again, I’ll go over these in more detail later) — all seem to involve “traditional radio services,” meaning apparently voice over radio.
And that would be consistent with the concerns expressed in the legislative history. Congress added the exceptions in G1 and G2 after ham radio and citizen’s band radio operators expressed concern that their activities would unwittingly come within the scope of the Wiretap Act. Before ECPA, the Wiretap Act applied only to wire communications and oral communications. A “wire communication” was defined broadly to include a voice communication transmitted over the radio, but only if at some point in its journey it traveled for a significant distance over a wire. Prior to ECPA, therefore, interception of a radio transmission made by hand-held equipment was not within the scope of the Wiretap Act. CB, ham radio, and short-wave radio enthusiasts were concerned that once radio transmissions with no wire travel were defined as “electronic communications” subject to the Act, they could be held liable just for tuning into a frequency in use. At least some of the language added in 1986 — Section 2511(2)(g)(ii)(III), for example — directly addresses this concern.
So, to recap, here’s the plaintiffs’/district court’s reading of the Wiretap Act: G1 contains an exception for “electronic communications” made readily accessible to the general public, and G2 contains exceptions for specific “radio communications.” The definition of “readily accessible” in 2510(16) — which requires encryption or some other technological limitation in order to make a transmission not readily accessible — applies only to “traditional radio services” — voice or sounds broadcast over radio. All of the activities listed in G2 are “traditional radio services,” but only some “electronic communications” in G1 are “traditional radio services,” namely radio broadcasts from a stand-alone transmitter. For all other electronic communications in G1, such as data transmitted over radio, the plain-English definition of “readily accessible to the general public” applies. And the plaintiffs have a pretty good argument that wi-fi transmissions, which require a packet sniffer to intercept and decode, do not meet the ordinary meaning of “readily accessible to the general public.”
There’s three significant problems with this reading of the statute, which I’ll cover in the next two posts. First, not all of the activities listed in G2 are voice-over-radio transmissions. Some are data transmissions, and would have obviously been data transmissions even in 1986. This undermines the “traditional radio services” interpretation of “radio communications.” Second, and worse, several of the exceptions to ready accessibility in 2510(16) make little sense if they are applied only to voice broadcasts. And third, the legislative history indicates that Congress drew, and continues to draw, very little distinction between electronic communications and radio communications — a fact which explains how we got into this mess to begin with.
[Cross-posted at the Marquette University Law Faculty Blog.]